2929a3c0bd
Restrict the GitHub token permissions only to the required ones; this way, even if the attackers will succeed in compromising your workflow, they won’t be able to do much. - Included permissions for the action. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/) Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com>
41 lines
1.1 KiB
YAML
41 lines
1.1 KiB
YAML
name: "Lint"
|
|
|
|
# any branch is useful for testing before a PR is submitted
|
|
on: [push, pull_request]
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
lint-package-lock:
|
|
# run on pushes to any branch
|
|
# run on PRs from external forks
|
|
if: |
|
|
(github.event_name != 'pull_request')
|
|
|| (github.event.pull_request.head.repo.id != github.event.pull_request.base.repo.id)
|
|
name: package-lock.json
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
-
|
|
name: Checkout repository
|
|
uses: actions/checkout@v3
|
|
-
|
|
uses: actions/setup-node@v3
|
|
with:
|
|
node-version: 12
|
|
cache: 'npm'
|
|
cache-dependency-path: |
|
|
src/package-lock.json
|
|
src/bin/doc/package-lock.json
|
|
-
|
|
name: Install lockfile-lint
|
|
run: npm install --no-save lockfile-lint
|
|
-
|
|
name: Run lockfile-lint on package-lock.json
|
|
run: >
|
|
npx lockfile-lint
|
|
--path src/package-lock.json
|
|
--allowed-hosts npm
|
|
--allowed-schemes https:
|
|
--allowed-schemes github:
|
|
--allowed-urls github:mapbox/node-sqlite3#593c9d498be2510d286349134537e3bf89401c4a
|